Recommended reading:
C++ disassembly code analysis: function calls
C++ disassembly code analysis: loop structures
C++ disassembly code analysis: stealing functions
Looking at C/C++ pointers from memory and assembly instructions
The code is as follows:
#include "stdlib.h"
int sum(int a, int b, int m, int n)   /* m and n are unused; they only make the argument pushes visible */
{
    return a + b;
}
void main()
{
    int result = sum(1, 2, 3, 4);
    system("pause");
}
sum takes four parameters and is called from main. Stepping through a Visual C++ debug build one instruction at a time gives the following listing (source line numbers on the left, addresses and instructions below them, comments prefixed with ";"):
11: void main()
12: {
00401060 push ebp
; Save the caller's EBP. Before this instruction ESP = 0012ff4c, EBP = 0012ff88;
; afterwards ESP = 0012ff48, EBP = 0012ff88. ESP went down by 4, EBP is unchanged.
00401061 mov ebp, esp
; Copy ESP into EBP, so now ESP = EBP = 0012ff48.
; The old EBP was just pushed and sits at the top of the stack, so the new EBP points exactly at the slot
; holding the caller's EBP. EBP is now the frame base: everything in this frame is at a fixed offset from it.
; Above it (higher addresses) are the return address and the parameters (main has none; the sum call below
; shows what that looks like); below it (lower addresses) are the local variables. [EBP] itself holds the
; EBP of the previous function call.
00401063 sub esp, 44h
; Move ESP down by 44h bytes, reserving a region of the stack for local variables.
; After this instruction ESP = 0012ff04, EBP = 0012ff48.
00401066 push ebx
00401067 push esi
00401068 push edi
; Save the three callee-saved registers EBX, ESI, EDI.
00401069 lea edi, [ebp-44h]
; EDI = EBP-44h, the lowest address of the local-variable area.
0040106c mov ecx, 11h
00401071 mov eax, 0CCCCCCCCh
00401076 rep stos dword ptr [edi]
; Fill 11h (17) dwords, i.e. the whole 44h-byte local area from EBP-44h up to EBP, with 0CCCCCCCCh.
; REP repeats the string instruction while ECX is not 0, decrementing ECX each time.
; STOS stores EAX (dword), AX (word) or AL (byte) at the destination ES:[EDI] and advances EDI by the operand size;
; the direction (up or down) is given by the DF flag. The operand only states the operand size.
; So the prologue reserves space for the locals and initializes it to 0CCh bytes. 0CCh is the opcode of INT 3,
; the debugger breakpoint. Local variables are data and should never be executed; if control ever lands in
; this area, the INT 3 traps into the debugger on the spot. The same fill is what makes an uninitialized
; local show up as the recognizable value 0xCCCCCCCC in a debug build.
13: int result = sum(1, 2, 3, 4);
00401078 push 4
0040107a push 3
0040107c push 2
0040107e push 1
; Each argument is pushed onto the stack. Note the order: right to left (the cdecl convention), so the
; first argument ends up nearest the top of the stack. Watching ESP after each push:
; ESP = 0012fef8 --> 0012fef4 --> 0012fef0 --> 0012feec --> 0012fee8
00401080 call @ILT+15(sum) (00401014)
; Call sum; use F11 to follow it into the function.
; Debugger keys: F10 (step over) executes one line and does not enter a called function.
; F11 (step into) executes one line and enters a called function.
; Shift+F11 (step out) runs until the current function returns.
; Ctrl+F10 (run to cursor).
00401085 add esp, 10h
; The caller removes the arguments after the call (cdecl): four 4-byte arguments = 10h bytes.
; ESP = 0012fef8 afterwards, the same value as before the arguments were pushed.
00401088 mov dword ptr [ebp-4], eax
; Store the return value, which sum left in EAX, into result, the first local variable at [EBP-4].
; See the notes on SS: addressing at the end.
14: system("pause");
0040108b push offset string "pause" (00422f6c)
00401090 call system (0040eed0)
00401095 add esp, 4
; system("pause") follows the same pattern: push the one argument, call, then add esp,4 to remove it.
; It is not discussed further here.
15: }
00401098 pop edi
00401099 pop esi
0040109a pop ebx
; Restore the saved registers in the reverse order of the pushes: last in, first out.
0040109b add esp, 44h
; Release the local-variable area; this matches the sub esp,44h in the prologue.
0040109e cmp ebp, esp
; Check that ESP is back where it should be: after releasing the locals it must equal EBP again.
004010a0 call _chkesp (004010b0)
; Debug-runtime check. If ESP and EBP differ, _chkesp raises the "ESP was not properly saved across a
; function call" error and stops in the debugger; the usual cause is calling a function through the wrong
; calling convention or prototype, so that the stack is not cleaned up the way the caller expects.
004010a5 mov esp, ebp
004010a7 pop ebp
; Tear down the frame: ESP back to the frame base, then restore the caller's EBP so the caller's frame is intact again.
004010a8 ret
; Pop the return address into EIP and continue in the caller.
; If the function has a return value it travels in EAX. This is why so much software is cracked in
; seconds: a check that reports its verdict in EAX is defeated by patching whatever ends up in EAX before the ret.
-------------------------------------------------------------------------------
That was the disassembly of main itself. Now the call to sum:
Pressing F11 on the instruction 00401080 call @ILT+15(sum) (00401014) lands on:
00401014 jmp sum (00401020)
; This is the ILT (incremental link table) thunk: a jump to the real body of sum. Pressing F11 again:
6: int sum(int a, int b, int m, int n)
7: {
00401020 push ebp
00401021 mov ebp, esp
00401023 sub esp, 40h
00401026 push ebx
00401027 push esi
00401028 push edi
00401029 lea edi, [ebp-40h]
0040102c mov ecx, 10h
00401031 mov eax, 0CCCCCCCCh
00401036 rep stos dword ptr [edi]
; The same prologue as in main; the only difference is the local area: 40h bytes (10h dwords) instead of 44h.
; See the comments on main above for each step.
8: return a + b;
00401038 mov eax, dword ptr [ebp+8]
; EAX = the first parameter a, at [EBP+8].
0040103b add eax, dword ptr [ebp+0Ch]
; EAX += the second parameter b, at [EBP+0Ch]. The sum stays in EAX, which is where the return value is passed back.
9: }
0040103e pop edi
0040103f pop esi
00401040 pop ebx
00401041 mov esp, ebp
00401043 pop ebp
00401044 ret
; The same epilogue as in main, except that the ESP check (add esp,40h / cmp ebp,esp / call _chkesp) is absent:
; mov esp,ebp releases the locals directly.
Notes on SS: addressing (the stack lives in the SS segment):
; In general SS:[EBP+4] is the return address.
; SS:[EBP+8] is the first parameter (a here) and SS:[EBP+0Ch] the second (b here; 8 + 4 = 12 = 0Ch).
; SS:[EBP-4] is the first local variable (result in main), and SS:[EBP] holds the EBP of the calling function.
; EBP and the return address are 32-bit values, so each of these slots is 4 bytes. Laid out from high to low addresses:
;   SS:[EBP+0Ch]   second parameter (b)
;   SS:[EBP+8]     first parameter (a)
;   SS:[EBP+4]     return address
;   SS:[EBP]       caller's EBP   <-- EBP points here
;   SS:[EBP-4]     first local variable (result in main)
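The frame layout in these notes, as an added example that is not code from the original article: a small C model of the 32-bit stack that replays the cdecl call sequence shown above with the same starting registers (ESP = 0012ff4c, EBP = 0012ff88) and the same local sizes (44h for main, 40h for sum), and reads [EBP], [EBP+4], [EBP+8], [EBP+0Ch] and [EBP-4] from inside sum exactly as the listing does. The return address pushed by the call (00401085) is taken from the listing; the Cpu and Trace structs, the push/pop/prologue/epilogue helpers and run_main are my own names. Calling run_main(0) omits the caller's add esp,10h, which is the kind of stack mismatch the cmp ebp,esp / _chkesp check in the epilogue exists to catch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte window modelling the part of the 32-bit stack that the trace above
   touches; addresses are the real 0012ffxx values from the listing. */
#define STACK_LO 0x0012fe00u
#define STACK_HI 0x0012ff90u
#define RET_AFTER_CALL 0x00401085u   /* "add esp,10h" in main: the address CALL pushes */

typedef struct {
    uint32_t esp, ebp, eax, ebx, esi, edi;
    uint8_t  mem[STACK_HI - STACK_LO];
} Cpu;

static void     wr32(Cpu *c, uint32_t a, uint32_t v) { memcpy(&c->mem[a - STACK_LO], &v, 4); }
static uint32_t rd32(const Cpu *c, uint32_t a) { uint32_t v; memcpy(&v, &c->mem[a - STACK_LO], 4); return v; }
static void     push(Cpu *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(Cpu *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* Debug-build prologue from the listing: push ebp / mov ebp,esp / sub esp,n /
   push ebx,esi,edi / lea edi,[ebp-n] / mov ecx,n/4 / mov eax,0CCCCCCCCh / rep stos */
static void prologue(Cpu *c, uint32_t n) {
    push(c, c->ebp);
    c->ebp = c->esp;
    c->esp -= n;
    push(c, c->ebx); push(c, c->esi); push(c, c->edi);
    for (uint32_t a = c->ebp - n; a < c->ebp; a += 4)   /* rep stos dword ptr [edi], n/4 times */
        wr32(c, a, 0xCCCCCCCCu);
}

/* Epilogue: pop edi,esi,ebx / add esp,n / cmp ebp,esp (_chkesp) / mov esp,ebp /
   pop ebp / ret. Returns the address RET pops; *chkesp_ok is what _chkesp sees.
   (sum on the page skips the add/cmp and goes straight to mov esp,ebp; the check
   is modelled for both frames so a caller-cleanup mistake becomes visible.) */
static uint32_t epilogue(Cpu *c, uint32_t n, int *chkesp_ok) {
    c->edi = pop(c); c->esi = pop(c); c->ebx = pop(c);
    c->esp += n;
    *chkesp_ok = (c->ebp == c->esp);
    c->esp = c->ebp;
    c->ebp = pop(c);
    return pop(c);
}

typedef struct {              /* checkpoints a debugger would show while stepping */
    uint32_t esp_before_args, esp_after_args, esp_after_cleanup;
    uint32_t saved_ebp, ret_addr, param1, param2, local_fill, result;
    int sum_chkesp_ok, main_chkesp_ok;
} Trace;

/* Replays "int result = sum(1, 2, 3, 4);" under cdecl. caller_cleans = 0 skips the
   caller's "add esp,10h", which is exactly the mismatch _chkesp is there to catch. */
static Trace run_main(int caller_cleans) {
    Cpu c; memset(&c, 0, sizeof c);
    Trace t; memset(&t, 0, sizeof t);
    c.esp = 0x0012ff4cu; c.ebp = 0x0012ff88u;   /* register state before main's push ebp */

    prologue(&c, 0x44);                         /* main: 44h bytes of locals */
    t.esp_before_args = c.esp;
    push(&c, 4); push(&c, 3); push(&c, 2); push(&c, 1);   /* arguments, right to left */
    t.esp_after_args = c.esp;
    push(&c, RET_AFTER_CALL);                   /* call sum: push the return address, jump */

    /* inside sum: same prologue with 40h bytes of locals, then the frame reads */
    prologue(&c, 0x40);
    t.saved_ebp  = rd32(&c, c.ebp);             /* SS:[ebp]     caller's EBP */
    t.ret_addr   = rd32(&c, c.ebp + 4);         /* SS:[ebp+4]   return address */
    t.param1     = rd32(&c, c.ebp + 8);         /* SS:[ebp+8]   a */
    t.param2     = rd32(&c, c.ebp + 0x0c);      /* SS:[ebp+0Ch] b */
    t.local_fill = rd32(&c, c.ebp - 4);         /* SS:[ebp-4]   first local slot, still 0CCCCCCCCh */
    c.eax = t.param1 + t.param2;                /* mov eax,[ebp+8] / add eax,[ebp+0Ch] */
    if (epilogue(&c, 0x40, &t.sum_chkesp_ok) != RET_AFTER_CALL)
        return t;                               /* ret went somewhere else: corrupted frame */

    /* back in main at 00401085 */
    if (caller_cleans) c.esp += 0x10;           /* add esp,10h: drop the four 4-byte arguments */
    t.esp_after_cleanup = c.esp;
    wr32(&c, c.ebp - 4, c.eax);                 /* mov dword ptr [ebp-4],eax : result = EAX */
    t.result = rd32(&c, c.ebp - 4);
    epilogue(&c, 0x44, &t.main_chkesp_ok);      /* cmp ebp,esp fails if the args were never removed */
    return t;
}

int main(void) {
    Trace t = run_main(1);
    printf("ESP before/after args: %08x / %08x, after cleanup: %08x\n",
           (unsigned)t.esp_before_args, (unsigned)t.esp_after_args, (unsigned)t.esp_after_cleanup);
    printf("[ebp]=%08x [ebp+4]=%08x [ebp+8]=%u [ebp+0Ch]=%u [ebp-4]=%08x result=%u\n",
           (unsigned)t.saved_ebp, (unsigned)t.ret_addr, (unsigned)t.param1, (unsigned)t.param2,
           (unsigned)t.local_fill, (unsigned)t.result);
    printf("_chkesp ok in sum/main: %d/%d; without add esp,10h in main: %d\n",
           t.sum_chkesp_ok, t.main_chkesp_ok, run_main(0).main_chkesp_ok);
    return 0;
}
```

The ESP checkpoints come out as 0012fef8 before the pushes, 0012fee8 after them and 0012fef8 again after add esp,10h, matching the values in the listing, and the reads from inside sum give [EBP] = 0012ff48 (main's EBP), [EBP+4] = 00401085, [EBP+8] = 1, [EBP+0Ch] = 2 and [EBP-4] = 0CCCCCCCCh. With the caller cleanup skipped, sum's own check still passes but main's cmp ebp,esp does not, which is the situation _chkesp reports.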
Conclusion